NMap tutorial - part one

Discussion in 'Computer Security' started by zebulebu, Aug 14, 2007.

  1. zebulebu

    zebulebu Terabyte Poster


    This tutorial is aimed at helping those who want to understand what NMap is, what it can do (and, of course, what it is NOT and what it CANNOT do). It should help not only the curious, but also people studying for their C|EH certification (NMap is the de facto standard tool used for gathering information about remote systems and it is therefore essential that anyone wishing to pass the C|EH exam is intimately familiar with NMap and its usage)


    The tutorial will try to explain things in as simple a way as possible, but there is some basic knowledge that the average user will need to make the most of the information contained here. Basic familiarity with the TCP/IP stack is essential - this does not need to be extensive, but the reader should be familiar with IP addressing, usage of TCP ports, know what UDP is and how TCP sessions are established. I will try to explain some of these concepts in more detail, so if you’re not that familiar with them hopefully as I go along you’ll pick it up. If you have no knowledge of networking, then before you read this series, grab a quick couple of hours with a good basic networking book, or visit one of the many tutorial sites available on the net. For those who are familiar with networking concepts, please ignore the basic stuff as I go along (remember, everyone has to start from the beginning - don’t get too impatient if some of this sounds like I’m trying to teach you to suck eggs!)

    If you want to follow along with some of the examples, it would be best to run them from a Linux machine. This isn’t an exercise in Windows-bashing - its just that the Linux version of NMap (the original version) just runs better. Also, M$, in their infinite wisdom, didn’t follow RFC standards when implementing the TCP/IP stack in Windows, so some of the advanced types of scans flat out will not work under Windows. A decent sniffer is also a must to enable you to capture scan output in ‘real time’ so you can see what’s happening ‘under the bonnet’. My favourite - and the industry standard - is Wireshark, but TCPDump or something similar will work just as well.

    Finally - and this is very important - please understand that some people get extremely tetchy about you running scans against their networks. Think about it this way: remember how pissed you get when kids run up and bang on your door then run away again? Imagine that scenario and you’ll understand how Network Admins feel when they have to deal with IDS alerts firing off left right and centre when some skr1pt k1dd1e comes knocking on their firewall. Use the information you gain from these tutorials wisely, and with discretion.

    What is NMap?

    “If you know the enemy and know yourself you need not fear the results of a hundred battles”

    Put simply, NMap is the Blue Riband of network scanners. Every Security and Network Admin worth their salt knows what NMap is and how to use it. Even if they have nothing more than a passing familiarity with it, they understand its power and the fact that probably 90% of the world’s hackers use it to scan networks for vulnerable systems. That said, NMap should not be perceived as a ‘bad guy’ tool - far from it. Using NMap you can evaluate your own security as a hacker would see it - which is absolutely invaluable if the best security possible is to be achieved.

    NMap is designed to detect any open (and closed! and filtered! and firewalled!) ports on a computer and to determine which services may be running on those ports. It can also be used to ‘fingerprint’ the Operating System of the target machine - by analysing the manner in which the machine responds to the scan, NMap can make a guess (at varying degrees of accuracy) as to what OS the target may be running. As you can probably imagine, such a tool is absolutely invaluable to a hacker, as it enables them to concentrate their energies on running exploits that may be germane to the services running and Operating System running on the target, rather than attempt thousands of exploits which have no chance of succeeding.

    NMap has a myriad of options for running scans, with hundreds of combinations of scan types possible. It is a command line tool (though a GUI does exist for both the Windows and Linux versions) and should, in this author’s opinion, be run from it’s native environment. Only by running NMap from the command line will you be able to understand and appreciate exactly what NMap is doing - and become familiar with the required options and switches that will set you on the road to understanding how an attacker would use the tool to attempt to gather information about your network.

    Getting hold of NMap

    NMap is available from Insecure.org at the following URL: http://insecure.org/nmap/
    Please consider donating should you need to download it - although NMap is 100% free and Open Source (released under the GPL) the guys and gals who develop it need your support in order to continue to develop/provide the tool. Most Linux distros come with NMap as an available package - my personal preference is to run it from the excellent BackTrack Live CD. This CD is a bootable distro based on SLAX and designed for penetration testing/auditing and should be the first thing any serious Security Admin downloads. For the Linux neophyte, although I strongly recommend you run it in it’s ‘home’ environment, Windows binaries are available from the download section of the NMap site here: http://insecure.org/nmap/download.html

    Once NMap is installed (I won’t go into how to do that from here - it’s as simple as can be and there are instructions provided in the readme files for all versions) you’re probably going to want to jump straight in and start scanning. As is usually the case with well-supported open-source tools, NMap comes with a fantastic ManPage (Manual for Linux n00bs) which will provide you with everything you need to know to use the tool. However, if you were the sort of person who ‘RsTFM’ then you wouldn’t be reading this tutorial now would you? ;)

    Understanding the basics of NMap and scanning theory

    To understand how NMap works, I recommend reading the following basics of the TCP session initiation process. It is absolutely essential that you understand how a TCP session is established, maintained and closed before starting to use NMap in anger. Failure to do this will ensure that not only will you not even begin to understand how powerful NMap can be, but you will also miss out on scanning functionality that could mean your scans miss systems that are ‘live’. If you already understand TCP Sessions, then skip this bit to get to the good stuff!

    TCP is a STATEFUL protocol. That means that it is ‘reliable’ in a networking sense - i.e. packets are delivered according to a proper, managed process, allowing for much more accurate delivery than is possible with a ‘stateless’ or ‘connectionless’ protocol, such as UDP. Consider the following analogy. If a paperboy checks the address on his route, walks up your garden path and pushes the paper through the correct letterbox, that is akin to a ‘stateful’ protocol, like TCP. If the paperboy instead rides down your road and chucks papers at random towards any old doorstep or - as used to be the case when I was a kid - just dumps all the papers in the canal, that is akin to UDP.

    In order to ensure this reliability, TCP requires that ‘sessions’ be established and maintained so that an accurate record can be kept of what is occurring with the packets in that transmission. A TCP session is initially established by means of what is commonly known as the ‘Three Way Handshake’.


    The ‘three way handshake’ begins with the initiating machine sending a single ‘SYN’ packet to the target machine (SYN is short for ‘Synchronise’). Once the target machine receives the SYN packet, providing it is willing to open a session with the initiating machine, it sends a ‘SYN/ACK’ packet back, indicating that it is willing to open a session with it (ACK is short for ‘Acknowledge’). When the listening machine receives that packet, it knows that the session can be established, and sends a final ACK packet telling the target machine that the session is now established and data transmission can begin. This is, admittedly, a pretty rudimentary explanation of the theory of ‘state’ and session management, but once you understand these basic principles, you will be able to grasp a lot of the more complex options NMap provides.

    Your first scan!

    So, with that out of the way, I’m sure you’re dying to try your first actual scan of a machine. Go ahead and fire up a command prompt/shell. If you ignored all my earlier advice and plumped for the Windows version, you’ll need to navigate to NMap’s install directory. You’ll also need a target IP address to run your scan against. At this stage, I STRONGLY suggest that you identify a host on your network that you are familiar with, and that you know will not result in the local Security Admin coming and issuing some severe slappage should your scan be detected. In fact, since we will be using the noisiest scan known to man (a TCP Connect scan - more on the differences between scan types in the next instalment of this series) it is imperative that you alert whomever is responsible for security in your environment - lest ye fall victim to the dreaded P45 :biggrin If you want to go ahead and scan an IP without knowing the full consequences of your actions, then so be it - just don’t say I didn’t warn you beforehand!

    Once you’re ready to go, type the following:

    nmap <ip address> -sT - e.g. nmap -sT

    Since this is a host on your local network - you DID follow my advice and scan a host on your LAN, right? :) - the results should be returned pretty swiftly. They will look something like the following:


    Your output will probably be quite different to mine, but as you can see from the output of this test scan I just ran against a box in my lab, a number of open ports have been discovered on the scanned machine, including ports 21, 25, 135, 139 and 445. Already you should be able to see the value of NMap - even at this basic level - as you can see I have now discovered that the box I ran the scan against is running with FTP and SMTP ports open, and is also running services normally associated with a Windows machine (ports 135, 139 and 445 are all associated with SMB running on TCP/IP - Windows filesharing). Looking further down the scans you can also see that the scanned machine is running some services that may look a little odd. For instance, port 8081 appears to be up - and NMap has reported that this is the port that something called ‘BlackIce-IceCap’ runs on. A quick spot of Googling provides the information that this is a security monitoring program that is often used by hackers! However, as you will see in the next tutorial, results of such clumsily cobbled together ‘default’ scans are often inaccurate - as it happens, in this case, I know for a fact that the service running on Port 8081 is McAfee’s AV Framework service. NMap can be fine-tuned to enumerate exactly what software is running on a particular port - rather than hazarding an uneducated guess, as in this case.

    Going Further

    As you should already be able to see from this brief introduction, NMap is an excellent tool. In the next section I’ll take you a little deeper into the functionality of the tool, explain some different types of scans that can be performed and introduce concepts such as OS fingerprinting and Service Enumeration. This is where NMap really becomes invaluable to the Security/Network Admin!
    Certifications: A few
    WIP: None - f*** 'em
    BraderzTheDog likes this.
  2. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    great read zeb! :biggrin
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  3. zimbo
    Honorary Member

    zimbo Petabyte Poster

    wow!!! Thanks and looking forward to more - PINNED! 8)
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  4. Theprof

    Theprof Petabyte Poster

    Great job on the tutorial Zeb.
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
  5. fortch

    fortch Kilobyte Poster

    Nice start zeb!
    Certifications: A+,Net+,Sec+,MCSA:Sec,MCSE:Sec,mASE
  6. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    Cool beans.. nicely written Zeb 8)
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  7. The Zig

    The Zig Kilobyte Poster

    Great post! Thanks! (rep++)

    Is there a second part to this then?
    I tried the Google site search but... computer says no.
    Certifications: A+; Network+; Security+, CTT+; MCDST; 4 x MTA (Networking, OS, Security & Server); MCITP - Enterprise Desktop Support; MCITP - Enterprise Desktop Administrator; MCITP - Server Administrator; MCSA - Server 2008; MCT; IOSH; CCENT
    WIP: CCNA; Server 2012; LPIC; JNCIA?
  8. zebulebu

    zebulebu Terabyte Poster

    Hi Zig - cheers for the comment!

    Unfortunately, I think the second and third parts ended up getting shelved due to work commitments at the time. That and the fact that it was written originally for an audience whose technical prowess I seriously overestimated meant I never got round to doing the other parts. it was soul-destroying spending twenty minutes explaining the basic difference between TCP and UDP to people who were (allegedly) already seasoned (2+ years' experience) network engineers...

    I might get round to doing it again in the future - at least i wouldn't have to 'modify' it for a forum this time! :biggrin
    Certifications: A few
    WIP: None - f*** 'em
  9. stevejack

    stevejack New Member

    Awesome tools for the security analyzer.you can get a UI frontend for it called Zenmap. That will make using it a little easier. Also a good way to play around and learn what everything does.The software is constantly revised and updated to include the latest cutting edge features and functions.
  10. JonnyMX

    JonnyMX Petabyte Poster

    Hi Steve.

    Isn't the R4i card the gizmo that lets you put cracked iso's onto a DS?

    Certifications: MCT, MCTS, i-Net+, CIW CI, Prince2, MSP, MCSD
  11. cisco lab rat

    cisco lab rat Megabyte Poster


    This forum needs more technical articles, more how to guides from more members. Logic will determine that more people will stay and contribute

    Well done Zeb
    Certifications: Yes I pretty much am!!
    WIP: Fizzicks Degree
  12. fliquid

    fliquid Nibble Poster

    I know you've been busy with Portal 2, but is there any chance of the second part being around soon? :cheeseyg
    Certifications: MCDST, A+, N+, S+, ITIL v3F, 70-642
  13. diesel

    diesel Bit Poster

    I'm not sure a second part is needed.

    It is common knowledge that to bypass any security system all that is needed is an ability to hit the keys on your keyboard as fast as you can whilst a timer ticks down on your screen. Successful entry to the system should always be announced to your buddies by screaming " I'm in !"
  14. Inaserty

    Inaserty New Member

    Nice start zeb!
  15. Inaserty

    Inaserty New Member

    i also need to know!

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.